Hackers use 4 zero days to infect Windows and Android devices


Google researchers have outlined a sophisticated hacking operation that exploits vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.

Some of the exploits were zero days, meaning they targeted vulnerabilities that were unknown to Google, Microsoft, and most researchers at the time (both companies have since fixed the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace those sites with code that installs malware on visitors’ devices. The compromised websites made use of two exploit servers, one for Windows users and the other for Android users.

Not your average hackers

The use of zero days and complex infrastructure is not in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code, which chained multiple exploits together efficiently, the campaign demonstrates that it was carried out by a “highly sophisticated actor.”

“These exploit chains are designed for efficiency and flexibility through their modularity,” wrote a researcher from Google’s Project Zero exploit research team. “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”

The researcher said that the modular use of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation set the campaign apart.

The four zero days exploited were:

  • CVE-2020-6418 – Chrome vulnerability in TurboFan (fixed February 2020)
  • CVE-2020-0938 – Font vulnerability in Windows (fixed April 2020)
  • CVE-2020-1020 – Font vulnerability in Windows (fixed April 2020)
  • CVE-2020-1027 – Windows CSRSS vulnerability (fixed April 2020)

The attackers obtained remote code execution by exploiting the Chrome zero-day and several recent Chrome vulnerabilities. All of the zero days were used against Windows users. None of the attack chains targeting Android devices exploited zero days, but Project Zero researchers said the attackers probably had Android zero days at their disposal.

The diagram below provides a visual overview of the campaign that took place in the first quarter of last year:

[Diagram: visual overview of the campaign. Image credit: Google]

In total, Project Zero published six installments detailing the exploits and post-exploitation payloads the researchers found. The other parts describe a Chrome infinity bug, the Chrome exploits, the Android exploits, the post-exploitation Android payloads, and the Windows exploits.

The aim of the series is to help the security community at large combat complex malware operations more effectively. “We hope this blog post series provides others with an in-depth look at exploitation from a real-world, mature, and presumably well-resourced actor,” wrote researchers from Project Zero.
